Smart retail analytics and commercial messaging

ABSTRACT

A real-time fraud prevention system enables merchants and commercial organizations on-line to assess and protect themselves from high-risk users. A centralized database is configured to build and store dossiers of user devices and behaviors collected from subscriber websites in real-time. Real, low-risk users have webpage click navigation behaviors that are assumed to be very different than those of fraudsters. Individual user devices are distinguished from others by hundreds of points of user-device configuration data each independently maintains. A client agent provokes user devices to volunteer configuration data when a user visits respective webpages at independent websites. A collection of comprehensive dossiers of user devices is organized by their identifying information, and used calculating a fraud score in real-time. Each corresponding website is thereby assisted in deciding whether to allow a proposed transaction to be concluded with the particular user and their device.

BACKGROUND OF THE INVENTION Field of the Invention

The present invention relates to automated systems for understandingcustomer needs from their online behaviors, and more particularly tosoftware-as-a-service merchant systems able to formulate suitablecommercial messages and offers to merchants' customers.

Background

Commercial messages that have no relevance or importance to a consumerare easy for them to ignore and dismiss. Do it enough, and the consumerswill get annoyed by the noise. Consumers have learned to tune out whenthey have been bombarded with rudderless billboards, letters, radio andTV spots, and now emails and pop ups on webpages. Very rarely doessomething interesting or relevant present itself, and those that do gettossed out with the ad hoc spam filters we all create.

People generally behave in consistent ways that make their futurebehaviors predictable, at least to some extent. Consumer behavior andpredictions are bit easier to observe and to forecast because sales datais very objective. Messages generated from these observations andforecasts would also be better received since they would be morebusinesslike and less personal. Insulting, embarrassing, andintimidating messages will, of course, completely turn off anyone, somessages that could have these affects are to be scrupulously avoided ifone hopes to succeed in a line of business.

Herein we use the term “smart agent” to describe our own uniqueconstruct in a fraud detection system. Intelligent agents, softwareagents, and smart agents described in the prior art and used inconventional applications are not at all the same.

Sometimes all we know about someone is what can be inferred by thesilhouettes and shadows they cast and the footprints they leave. Who isbehind a credit card or payment transaction is a lot like that. We canonly know and understand them by the behaviors that can be gleaned fromthe who, what, when, where, and (maybe) why of each transaction andseries of them over time.

Cardholders will each individually settle into routine behaviors, andtherefore their payment card transactions will follow those routines.All cardholders, as a group, are roughly the same and produce roughlythe same sorts of transactions. But on closer inspection the generalpopulation of cardholders will cluster into various subgroups and behavein similar ways as manifested in the transactions they generate.

Card issuers want to encourage cardholders to use their cards, and wantto stop and completely eliminate fraudsters from being able to pose aslegitimate cardholders and get away with running transactions through topayment. So card issuers are challenged with being able to discern whois legitimate, authorized, and presenting a genuine transaction, fromthe clever and aggressive assaults of fraudsters who learn and adapt alltoo quickly. All the card issuers have before them are the millions ofinnocuous transactions flowing in every day.

What is needed is a fraud management system that can tightly follow andmonitor the behavior of all cardholders and act quickly in real-timewhen a fraudster is afoot.

SUMMARY OF THE INVENTION

Briefly, an artificial intelligence fraud management solution embodimentof the present invention comprises a development system to generate apopulation of virtual smart agents corresponding to every cardholder,merchant, and device ID that hinted at during modeling and training.Each smart agent is nothing more than a pigeonhole and summation ofvarious aspects of every transaction in a real-time profile of less thanninety days and a long-term profile of transactions older than ninetydays. Actors and entities are built of no more than the attributes theexpress in each transaction. In fact, smart agents themselves take noaction on their own and are not capable of gesticulations. They aremerely attributes, descriptors, what can be seen on the surface.

The above and still further objects, features, and advantages of thepresent invention will become apparent upon consideration of thefollowing detailed description of specific embodiments thereof,especially when taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is functional block diagram of an artificial intelligence fraudmanagement solution embodiment of the present invention;

FIG. 2A is functional block diagram of an application development system(ADS) embodiment of the present invention for fraud-based targetapplications;

FIG. 2B is functional block diagram of an improved and updatedapplication development system (ADS) embodiment of the present inventionfor fraud-based target applications;

FIG. 3 is functional block diagram of a model training embodiment of thepresent invention;

FIG. 4 is functional block diagram of a real-time payment fraudmanagement system like that illustrated in FIG. 1 as applied paymentfraud model;

FIG. 5 is functional block diagram of a smart agent process embodimentof the present invention;

FIG. 6 is functional block diagram of a most recent fifteen-minutetransaction velocity counter;

FIG. 7 is functional block diagram of a cross-channel payment fraudmanagement embodiment of the present invention;

FIG. 8 is a diagram of a group of smart agent profiles stored in acustom binary file;

FIG. 9 is a diagram of the file contents of an exemplary smart agentprofile;

FIG. 10 is a diagram of a virtual addressing scheme used to accesstransactions in atomic time intervals by their smart agent profilevectors;

FIG. 11 is a diagram of a small part of an exemplary smart agent profilethat spans several time intervals;

FIG. 12 is a diagram of a behavioral forecasting aspect of the presentinvention;

FIG. 13 is a diagram representing a simplified smart agent profile andhow individual constituent datapoints are compared to running norms andare accumulated into an overall risk score;

FIG. 14 is a functional block diagram of a modeling and operationalenvironment in which an application development system is used initiallyto generate, launch, and run millions of smart agents and theirprofiles;

FIG. 15 is functional block diagram of a computer program product forcentralized hosting of business applications as a software-as-a-service(SaaS) product installed on a payments processor;

FIG. 16 is a flowchart diagram of a top level computer process useful inthe SaaS product of FIG. 15 ;

FIG. 17 is a flowchart diagram of how user devices can be accuratelycategorized by a five-layer identification process that includesendpoint, navigation, single-channel, multi-channel, and entity linkanalyses; and

FIG. 18 is a flowchart diagram of how the word contexts in webpages canbe artificially understood and worked with by a computing machine; and

DETAILED DESCRIPTION OF THE INVENTION

Smart agent embodiments of the present invention recognize that theactors and entities behind payment transactions can be fully understoodin their essential aspects by way of the attributes reported in eachtransaction. Nothing else is of much importance, and very little more isusually unavailable anyway.

A legitimate cardholder and any fraudster are in actuality two differentpeople and will behave in two different ways. They each will manifesttransactions that will often reflect those differences. Fraudsters havefar different agendas and purposes in their transactions than dolegitimate cardholders, and so that can cast spotlights. But sometimeslegitimate cardholders innocently generate transactions that look like afraudster was responsible, and sometimes fraudsters succeed at being awolf-in-sheep's-clothing. Getting that wrong will produce falsepositives and false negatives in an otherwise well performing fraudmanagement payment system.

In the vast majority of cases, the legitimate cardholders will becompletely unknown and anonymous to the fraudster and bits of knowledgeabout social security numbers, CVV numbers, phone numbers, zipcodes, andpasswords will be impossible or expensive to obtain. And so they will beeffective as a security factor that will stop fraud. But fraudsters thatare socially close to the legitimate cardholder can have those bitswithin easy reach.

Occasionally each legitimate cardholder will step way out-of-characterand generate a transaction that looks suspicious or downrightfraudulent. Often such transactions can be forecast by previous suchoutbursts that they or their peers engaged in.

Embodiments of the present invention generate a population of virtualsmart agents corresponding to every cardholder, merchant, and device IDthat hinted at during modeling and training. Each smart agent is nothingmore than a pigeonhole and summation of various aspects of everytransaction in a real-time profile of less than ninety days and along-term profile of transactions older than ninety days. Actors andentities are built of no more than the attributes the express in eachtransaction. In fact, smart agents themselves take no action on theirown and are not capable. They are merely attributes, descriptors, whatcan be seen on the surface.

In this description here, smart agent embodiments of the presentinvention are nothing like the smart agents, intelligent agents, orsoftware agents described by artificial intelligence researchers in theLiterature.

The collecting, storing, and accessing of the transactional attributesof millions of smart agents engaging in billions of transactions is achallenge for conventional hardware platforms. Our earlier filed UnitedStates patent applications provide practical details on how a workingsystem platform to host our smart agents can be built and programmed.For example, U.S. patent application Ser. No. 14/521,386, filed 22 Oct.2014, and titled, Reducing False Positives with Transaction BehaviorForecasting; and also Ser. No. 14/520,361, filed 22 Oct. 2014, andtitled Fast Access Vectors In Real-Time Behavioral Profiling.

At the most elementary level, each smart agent begins as a list oftransactions for the corresponding actor or entity that were sorted fromthe general inflow of transactions. Each list becomes a profile andvarious velocity counts are pre-computed to make later real-time accessmore efficient and less burdensome. For example, a running total of thetransactions is maintained as an attribute datapoint, as are theminimums, maximums, and averages of the dollar amounts of all long termor short term transactions. The frequency of those transactions peratomic time interval is also preprocessed and instantly available in anytime interval. The frequencies of zipcodes involved in transactions isanother velocity count. The radius of those zipcodes around thecardholders home zipcode can be another velocity count from apre-computation.

So, each smart agent is a two-dimensional thing in virtual memoryexpressing attributes and velocity counts in its width and timeintervals and constituent transactions in its length. As time moves tothe next interval, the time intervals in every smart agent areeffectively shift registered ad pushed down.

The smart agent profiles can be data mined for purchasing patterns,e.g., airline ticket purchases are always associated with car rentalsand hotel charges. Concert ticket venues are associated with high endrestaurants and bar bills. These patterns can form behavioral clustersuseful in forecasting.

FIG. 1 represents an artificial intelligence fraud management solutionembodiment of the present invention, and is referred to herein by thegeneral reference numeral 100. Such solution 100 comprises an expertprogrammer development system 102 for building trainable general paymentfraud models 104 that integrate several, but otherwise blank artificialintelligence classifiers, e.g., neural networks, case based reasoning,decision trees, genetic algorithms, fuzzy logic, and rules andconstraints. These are further integrated by the expert programmersinputs 106 and development system 102 to include smart agents andassociated real-time profiling, recursive profiles, and long-termprofiles.

The trainable general payment fraud models 104 are trained withsupervised and unsupervised data 108 and 110 to produce a trainedpayment fraud model 112. For example, accountholder and historicaltransaction data. This trained payment fraud model 112 can then be soldas a computer program library or a software-as-a-service applied paymentfraud model. This then is applied by a commercial client in an appliedpayment fraud model 114 to process real-time transactions andauthorization requests 116 for fraud scores. The applied payment fraudmodel 114 is further able to accept a client tuning input 120.

FIG. 2A represents an application development system (ADS) embodiment ofthe present invention for fraud-based target applications, and isreferred to herein by the general reference numeral 200. Such is theequivalent of development system 102 in FIG. 1 . ADS 200 comprises anumber of computer program development libraries and tools that highlyskilled artificial intelligence scientists and artisans can manipulateinto a novel combination of complementary technologies. In an earlyembodiment of ADS 200 we combined a goal-oriented multi-agent technology201 for building run-time smart agents, a constraint-based programmingtool 202, a fuzzy logic tool 203, a library of genetic algorithms 205, asimulation and planning tool 206, a library of business rules andconstraints 207, case-based reasoning and learning tools 208, areal-time interpreted language compiler 209, a C++ code generator 210, alibrary of data compression algorithms 211, and a database connectivitytool 212.

The highly skilled artificial intelligence scientists and artisansprovide graphical and textual inputs 214 and 216 to a user interface(UI) 218 to manipulate the novel combinations of complementarytechnologies into a declarative application 220.

Declarative application 214 is molded, modeled, simulated, tested,corrected, massaged, and unified into a fully functional hybridcombination that is eventually output as a trainable general paymentfraud model 222. Such is the equivalent of trainable general paymentfraud model 104 in FIG. 1 .

It was discovered by the present inventor that the highly skilledartificial intelligence scientists and artisans that could manipulatethe complementary technologies mentioned into specific novelcombinations required exceedingly talented individuals that were inshort supply.

It was, however, possible to build and to prove out that ADS 200 as acompiler would produce trainable general payment fraud models 220, andthese were more commercially attractive and viable.

After many years of experimental use and trials, ADS 200 was constantlyimproved and updated. Database connectivity tool 212, for example, triedto press conventional databases into service during run-time to receiveand supply datapoints in real-time transaction service. It turned out noconventional databases were up to it.

At the present, an updated and improved ADS shown with general referencenumeral 230 in FIG. 2B is providing better and more useful trainablegeneral payment fraud models.

ADS 230 is the most recent equivalent of development system 102 in FIG.1 . ADS 230 assembles together a different mix of computer programdevelopment libraries and tools for the highly skilled artificialintelligence scientists and artisans to manipulate into a new hybrid ofstill complementary technologies.

In this later embodiment, ADS 230, we combined an improved smart-agenttechnology 231 for building run-time smart agents that are essentiallyonly silhouettes of their constituent attributes. These attributes arethemselves smart-agents with second level attributes and values that areable to “call” on real-time profilers, recursive profilers, and longterm profilers. Such profilers can provide comparative assessments ofeach datapoint with the new information flowing in during run-time. Ingeneral, “real-time” profiles include transactions less than ninety daysold. Long-term profiles accumulate transactions over ninety days old. Insome applications, the line of demarcation was forty-five days, due todata storage concerns. Recursive profiles are those that inspect what anentity's peers have done in comparison.

The three profilers can thereafter throw exceptions in each datapointcategory, and the number and quality of exceptions thrown across thebreadth of the attributes then incoming will produce a fraud risk scorethat generally raises exponentially with that number of exceptionsthrown. Oracle explains in C++ programming that exceptions provide a wayto react to exceptional circumstances (like fraud suspected) in programsby transferring control to special functions called “handlers”.

At the top level of a hierarchy of smart agents linked by theirattributes are the smart agents for the independent actors who canengage in fraud. In a payment fraud model, that top level will be thecardholders as tracked by the cardholder account numbers reported intransaction data.

These top level smart agents can call on a moving 15-minute window filethat has all the transactions reported to the system in the last15-minutes. Too much activity in 15-minutes by any one actor is causefor further inspection and analysis.

ADS 230 further comprises a constraint-based programming tool 232, afuzzy logic tool 233, a library of advanced neural network algorithms234, a library of genetic algorithms 235, a simulation and planning tool236, a library of business rules and constraints 237, case-basedreasoning and learning tools 238, a data mining tool 239, a text miningtool 240, a statistical tool 241 and a real-time file system 242.

The real-time file system 242 is a simple organization of attributevalues for smart agent profilers that allow quick, direct file access.

The highly skilled artificial intelligence scientists and artisansprovide graphical and textual inputs 244 and 246 to a user interface(UI) 248 to manipulate the novel combinations of complementarytechnologies into a declarative application 250.

Declarative application 250 is also molded, modeled, simulated, tested,corrected, massaged, and unified into a fully functional hybridcombination that is eventually output as a trainable general paymentfraud model 252. Such is also the more improved equivalent of trainablegeneral payment fraud model 104 in FIG. 1 .

The constraint-based programming tools 202 and 232 limit the number ofpossible solutions. Complex conditions with complex constraints cancreate an exponential number of possibilities. Fixed constraints, fuzzyconstraints, and polynomials are combined in cases where no exactsolution exists. New constraints can be added or deleted at any time.The dynamic nature of the tool makes possible real-time simulations ofcomplex plans, schedules, and diagnostics.

The constraint-based programming tools are written as a very completelanguage in its own right. It can integrate a variety of variables andconstraints, as in the following Table.

Variables: Real, with integer values, enumerated , sets, matrices andvectors, intervals, fuzzy subsets, and more. Arithmetic Constraints: =,+, −, *, /, /=, >, <, >=, <=, interval addition, interval subtraction,interval multiplication and interval division, max, min, intersection,union, exponential, modulo, logarithm , and more. Temporal (Allen)Constraints: Control allows you to write any temporal constraintsincluding Equal, N-equal, Before, After, Meets, Overlaps, Starts ,Finishes, and personal temporal operators such as Disjoint, Started-by,Overlapped-by , Met-by, Finished-by, and more. Boolean Constraints: Or,And, Not, XOR, Implication, Equivalence Symbolic Constraints: Inclusion.Union, Intersection, Cardinality, Belonging, and more.

The constraint-based programming tools 202 and 232 include a library ofways to arrange subsystems, constraints and variables. Controlstrategies and operators can be defined within or outside usingtraditional languages such as C, C++, FORTRAN, etc. Programmers do nothave to learn a new language, and provides an easy-to-master programminginterface by providing an in-depth library and traditional tools.

Fuzzy logic tools 203 and 233 recognize many of the largest problems inorganizations cannot be solved by simple yes/no or black/white answers.Sometimes the answers need to be rendered in shades of gray. This iswhere fuzzy logic proves useful. Fuzzy logic handles imprecision oruncertainty by attaching various measures of credibility topropositions. Such technology enables clear definitions of problemswhere only imperfect or partial knowledge exists, such as when a goal isapproximate, or between all and nothing. In fraud applications, this canequate to the answer being “maybe” fraud is present, and thecircumstances warrant further investigation.

Tools 204 and 234 provides twelve different neural network algorithms,including Back propagation, Kohonen, Art, Fuzzy ART, RBF and others, inan easy-to-implement C++ library. Neural networks are algorithmicsystems that interpret historical data to identify trends and patternsagainst which to compare subject cases. The libraries of advanced neuralnetwork algorithms can be used to translate databases to neurons withoutuser intervention, and can significantly accelerate the speed ofconvergence over conventional back propagation, and other neural networkalgorithms. The present invention's neural net is incremental andadaptive, allowing the size of the output classes to change dynamically.An expert mode in the advanced application development tool suiteprovides a library of twelve different neural network models for use incustomization.

Neural networks can detect trends and patterns other computer techniquesare unable to. Neurons work collaboratively to solve the definedproblem. Neural networks are adept in areas that resemble humanreasoning, making them well suited to solve problems that involvepattern recognition and forecasting. Thus, neural networks can solveproblems that are too complex to solve with conventional technologies.

Libraries 205 and 235 include genetic algorithms to initialize apopulation of elements where each element represents one possible set ofinitial attributes. Once the models are designed based on theseelements, a blind test performance is used as the evaluation function.The genetic algorithm will be then used to select the attributes thatwill be used in the design of the final models. The componentparticularly helps when multiple outcomes may achieve the samepredefined goal. For instance, if a problem can be solved profitably inany number of ways, genetic algorithms can determine the most profitableway.

Simulation and planning tool 206 can be used during model designs tocheck the performances of the models.

Business rules and constraints 207 provides a central storage of bestpractices and know how that can be applied to current situations. Rulesand constraints can continue to be captured over the course of years,applying them to the resolution of current problems.

Case-based reasoning 208 uses past experiences in solving similarproblems to solve new problems. Each case is a history outlined by itsdescriptors and the steps that lead to a particular outcome. Previouscases and outcomes are stored and organized in a database. When asimilar situation presents itself again later, a number of solutionsthat can be tried, or should be avoided, will present immediately.Solutions to complex problems can avoid delays in calculations andprocessing, and be offered very quickly.

Language interpretation tool 209 provides a constant feedback andevaluation loop. Intermediary Code generator 210 translates DeclarativeApplications 214 designed by any expert into a faster program 230 for atarget host 232.

During run-time, real time transaction data 234 can be received andprocessed according to declarative application 214 by target host 232with the objective of producing run-time fraud detections 236. Forexample, in a payments application card payments transaction requestsfrom merchants can be analyzed for fraud activity. In healthcareapplications the reports and compensation demands of providers can bescanned for fraud. And in insider trader applications individual traderscan be scrutinized for special knowledge that could have illegallyhelped them profit from stock market moves.

File compression algorithms library 211 helps preserve network bandwidthby compressing data at the user's discretion.

FIG. 3 represents a model training embodiment of the present invention,and is referred to herein by the general reference numeral 300. Modeltrainer 300 can be fed a very complete, comprehensive transactionhistory 302 that can include both supervised and unsupervised data. Afilter 304 actually comprises many individual filters that can beselected by a switch 306. Each filter can separate the supervised andunsupervised data from comprehensive transaction history 302 into astream correlated by some factor in each transaction.

The resulting filtered training data will produce a trained model thatwill be highly specific and sensitive to fraud in the filtered category.When two or more of these specialized trained models used in parallelare combined in other embodiments of the present invention they willexcel in real-time cross-channel fraud prevention.

In a payment card fraud embodiment of the present invention, duringmodel training, the filters 304 are selected by switch 306 to filterthrough dozens of different channels, one-at-a-time for each real-time,risk-scoring channel model that will be needed and later run together inparallel. For example, such channels can include channel transactionsand authorization requests for card-not-present, card-present, high riskmerchant category code (MCC), micro-merchant, small and medium sizedenterprise (SME) finance, international, domestic, debit card, creditcard, contactless, or other groupings or financial networks.

The objective here is to detect a first hint of fraud in any channel fora particular accountholder, and to “warn” all the other real-time,risk-scoring channel models that something suspicious is occurring withthis accountholder. In one embodiment, the warning comprises an updatein the nature of feedback to the real-time, long-term, and recursiveprofiles for that accountholder so that all the real-time, risk-scoringchannel models step up together increment the risk thresholds thataccountholder will be permitted. More hits in more channels shouldtranslate to an immediate alert and shutdown of all the affectedaccountholders accounts.

Competitive prior art products make themselves immediately unattractiveand difficult to use by insisting that training data suit someparticular format. In reality, training data will come from multiple,disparate, dissimilar, incongruent, proprietary data sourcessimultaneously. A data cleanup process 308 is therefore important toinclude here to do coherence analysis, and to harmonize, unify,error-correct, and otherwise standardize the heterogeneous data comingfrom transaction data history 302. The commercial advantage of that is awide range of clients with many different channels can provide theirtransaction data histories 302 in whatever formats and file structuresare natural to the provider. It is expected that embodiments of thepresent invention will find applications in financial services, defenseand cyber security, health and public service, technology, mobilepayments, retail and e-commerce, marketing and social networking, andothers.

A data enrichment process 310 computes interpolations and extrapolationsof the training data, and expands it out to as many as two-hundred andfifty datapoints from the forty or so relevant datapoints originallyprovided by transaction data history 302.

A trainable fraud model 312 (like that illustrated in FIG. 1 astrainable general payment fraud model 104) is trained into a channelspecialized fraud model 314, and each are the equivalent of the appliedfraud model 114 illustrated in FIG. 1 . The selected training resultsfrom the switch 306 setting and the filters 304 then existing.

Channel specialized fraud models 314 can be sold individually or inassorted varieties to clients, and then imported by them as a commercialsoftware app, product, or library.

A variety of selected applied fraud models 316-323 represent the appliedfraud models 114 that result with different settings of filter switch306. Each selected applied fraud model 314 will include a hybrid ofartificial intelligence classification models represented by models330-332 and a smart-agent population build 334 with a corresponding setof real-time, recursive, and long-term profilers 336. The enriched datafrom data enrichment process 310 is fully represented in the smart-agentpopulation build 334 and profilers 336.

FIG. 4 represents a real-time payment fraud management system 400 likethat illustrated in FIG. 1 as applied payment fraud model 114. A rawtransaction separator 402 filters through the forty or so data itemsthat are relevant to the computing of a fraud score. A process 404 addstimestamps to these relevant datapoints and passes them in parallel to aselected applied fraud model 406. This is equivalent to a selected oneof applied fraud models 316-323 in FIG. 3 and applied payment fraudmodel 114 in FIG. 1 .

During a session in which the time-stamped relevant transaction dataflows in, a set of classification models 408-410 operate independentlyaccording to their respective natures. A population of smart agents 412and profilers 414 also operate on the time-stamped relevant transactiondata inflows. Each new line of time-stamped relevant transaction datawill trigger an update 416 of the respective profilers 414. Theirattributes 418 are provided to the population of smart agents 412.

The classification models 408-410 and population of smart agents 412 andprofilers 414 all each produce an independent and separate vote or fraudscore 420-423 on the same line of time-stamped relevant transactiondata. A weighted summation processor 424 responds to client tunings 426to output a final fraud score 428.

FIG. 5 represents a smart agent process 500 in an embodiment of thepresent invention. For example, these would include the smart agentpopulation build 334 and profiles 336 in FIG. 3 and smart agents 412 andprofiles 414 in FIG. 4 . A series of payment card transactions arrivingin real-time in an authorization request message is represented here bya random instantaneous incoming real-time transaction record 502.

Such record 502 begins with an account number 504. It includesattributes A1-A9 numbered 505-513 here. These attributes, in the contextof a payment card fraud application would include datapoints for cardtype, transaction type, merchant name, merchant category code (MCC),transaction amount, time of transaction, time of processing, etc.

Account number 504 in record 502 will issue a trigger 516 to acorresponding smart agent 520 to present itself for action. Smart agent520 is simply a constitution of its attributes, again A1-A9 and numbered521-529 in FIG. 5 . These attributes A1-A9 521-529 are merely pointersto attribute smart agents. Two of these, one for A1 and one for A2, arerepresented in FIG. 5 . Here, an A1 smart agent 530 and an A2 smartagent 540. These are respectively called into action by triggers 532 and542.

A1 smart agent 530 and A2 smart agent 540 will respectively fetchcorrespondent attributes 505 and 506 from incoming real-time transactionrecord 502. Smart agents for A3-A9 make similar fetches to themselves inparallel. They are not shown here to reduce the clutter for FIG. 5 thatwould otherwise result.

Each attribute smart agent like 530 and 540 will include or access acorresponding profile datapoint 536 and 546. This is actually asimplification of the three kinds of profiles 336 (FIG. 3 ) that wereoriginally built during training and updated in update 416 (FIG. 4 ).These profiles are used to track what is “normal” behavior for theparticular account number for the particular single attribute.

For example, if one of the attributes reports the MCC's of the merchantsand another reports the transaction amounts, then if the long-term,recursive, and real time profiles for a particular account number xshows a pattern of purchases at the local Home Depot and Costco thataverage $100-$300, then an instantaneous incoming real-time transactionrecord 502 that reports another $200 purchase at the local Costco willraise no alarms. But a sudden, unique, inexplicable purchase for $1250at a New York Jeweler will and should throw more than one exception.

Each attribute smart agent like 530 and 540 will further include acomparator 537 and 547 that will be able to compare the correspondingattribute in the instantaneous incoming real-time transaction record 502for account number x with the same attributes held by the profiles forthe same account. Comparators 537 and 547 should accept some slack, butnot too much. Each can throw an exception 538 and 548, as can thecomparators in all the other attribute smart agents. It may be usefulfor the exceptions to be a fuzzy value, e.g., an analog signal 0.0 to1.0. Or it could be a simple binary one or zero. What sort of excursionsshould trigger an exception is preferably adjustable, for example withclient tunings 426 in FIG. 4 .

These exceptions are collected by a smart agent risk algorithm 550. Onedeviation or exception thrown on any one attribute being “abnormal” canbe tolerated if not too egregious. But two or more should be weightedmore than just the simple sum, e.g., (1+1)^(n)=2^(n) instead of simply1+1=2. The product is output as a smart agent risk assessment 552. Thisoutput is the equivalent of independent and separate vote or fraud score423 in FIG. 4 .

FIG. 6 represents a most recent 15-minute transaction velocity counter600, in an embodiment of the present invention. It receives the samekind of real-time transaction data inputs as were described inconnection with FIG. 4 as raw transaction data 402 and FIG. 5 as records502. A raw transaction record 602 includes a hundred or so datapoints.About forty of those datapoints are relevant to fraud detection anidentified in FIG. 6 as reported transaction data 604.

The reported transaction data 604 arrive in a time series and randomlyinvolve a variety of active account numbers. But, let's say the mostcurrent reported transaction data 604 with a time age of 0:00 concerns aparticular account number x. That fills a register 606.

Earlier arriving reported transaction data 604 build a transactiontime-series stack 608. FIG. 6 arbitrarily identifies the respective agesof members of transaction time-series stack 608 with example ages 0:73,1:16, 3:11, 6:17, 10:52, 11:05, 13:41, and 14:58. Those aged more than15-minutes are simply identified with ages “>15:00”. This embodiment ofthe present invention is concerned with only the last 15-minutes worthof transactions. As time passes transaction time-series stack 608 pushesdown.

The key concern is whether account number x has been involved in anyother transactions in the last 15-minutes. A search process 610 acceptsa search key from register 606 and reports any matches in the most15-minute window with an account activity velocity counter 612. Too muchvery recent activity can hint there is a fraudster at work, or it may benormal behavior. A trigger 614 is issued that can be fed to anadditional attribute smart agent that is included with attributes smartagents 530 and 540 and the others in parallel. Exception from this newaccount activity velocity counter smart agent is input to smart agentrisk algorithm 550 in FIG. 5 .

FIG. 7 represents a cross-channel payment fraud management embodiment ofthe present invention, and is referred to herein by general referencenumeral 700.

Real-time cross-channel monitoring uses track cross channel and crossproduct patterns to cross pollinate information for more accuratedecisions. Such track not only the channel where the fraud ends but alsothe initiating channel to deliver a holistic fraud monitoring. Astandalone internet banking fraud solution will allow a transaction ifit is within its limits, however if core banking is in picture, then itwill stop this transaction, as we additionally know the source offunding of this account (which mostly in missing in internet banking).

In FIG. 3 , a variety of selected applied fraud models 316-323 representthe applied fraud models 114 that result with different settings offilter switch 306. A real-time cross-channel monitoring payment networkserver can be constructed by running several of these selected appliedfraud models 316-323 in parallel.

FIG. 7 represents a real-time cross-channel monitoring payment networkserver 700, in an embodiment of the present invention. Each customer oraccountholder of a financial institution can have several very differentkinds of accounts and use them in very different transactional channels.For example, card-present, domestic, credit card, contactless, and highrisk MCC channels. So in order for a cross-channel fraud detectionsystem to work at its best, all the transaction data from all thechannels is funneled into one pipe for analysis.

Real-time transactions and authorization requests data is input andstripped of irrelevant datapoints by a process 702. The resultingrelevant data is time-stamped in a process 704. The 15-minute vectorprocess of FIG. 6 may be engaged at this point in background. A bus 706feeds the data in parallel line-by-line, e.g., to a selected appliedfraud channel model for card present 708, domestic 709, credit 710,contactless 711, and high risk MCC 712. Each can pop an exception to thecurrent line input data with an evaluation flag or score 718-722. Theinvolved accountholder is understood.

These exceptions are collected and analyzed by a process 724 that canissue warning feedback for the profiles maintained for eachaccountholder. Each selected applied fraud channel model 708-712 sharesrisk information about particular accountholders with the other selectedapplied fraud models 708-712. A suspicious or outright fraudulenttransaction detected by a first selected applied fraud channel model708-712 for a particular customer in one channel is cause for a riskadjustment for that same customer in all the other applied fraud modelsfor the other channels.

Exceptions 718-722 to an instant transactions on bus 706 trigger anautomated examination of the customer or accountholder involved in aprofiling process 724, especially with respect to the 15-minute vectorsand activity in the other channels for the instant accountholder. Aclient tuning input 726 will affect an ultimate accountholder fraudscoring output 728, e.g., by changing the respective risk thresholds forgenuine-suspicious-fraudulent.

A corresponding set of warning triggers 73-734 is fed back to all theapplied fraud channel models 708-712. The compromised accountholderresult 728 can be expected to be a highly accurate and early protectionwarning.

In general, a process for cross-channel financial fraud protectioncomprises training a variety of real-time, risk-scoring fraud modelswith training data selected for each from a common transaction historyto specialize each member in the monitoring of a selected channel. Thenarranging the variety of real-time, risk-scoring fraud models after thetraining into a parallel arrangement so that all receive a mixed channelflow of real-time transaction data or authorization requests. Theparallel arrangement of diversity trained real-time, risk-scoring fraudmodels is hosted on a network server platform for real-time risk scoringof the mixed channel flow of real-time transaction data or authorizationrequests. Risk thresholds are immediately updated for particularaccountholders in every member of the parallel arrangement of diversitytrained real-time, risk-scoring fraud models when any one of themdetects a suspicious or outright fraudulent transaction data orauthorization request for the accountholder. So, a compromise, takeover,or suspicious activity of the accountholder's account in any one channelis thereafter prevented from being employed to perpetrate a fraud in anyof the other channels.

Such process for cross-channel financial fraud protection can furthercomprise steps for building a population of real-time and a long-termand a recursive profile for each the accountholder in each thereal-time, risk-scoring fraud models. Then during real-time use,maintaining and updating the real-time, long-term, and recursiveprofiles for each accountholder in each and all of the real-time,risk-scoring fraud models with newly arriving data. If during real-timeuse a compromise, takeover, or suspicious activity of theaccountholder's account in any one channel is detected, then updatingthe real-time, long-term, and recursive profiles for each accountholderin each and all of the other real-time, risk-scoring fraud models tofurther include an elevated risk flag. The elevated risk flags areincluded in a final risk score calculation 728 for the currenttransaction or authorization request.

The 15-minute vectors described in FIG. 6 are a way to cross pollenaterisks calculated in one channel with the others. The 15-minute vectorscan represent an amalgamation of transactions in all channels, orchannel-by channel. Once a 15-minute vector has aged, it can be shiftedinto a 30-minute vector, a one-hour vector, and a whole day vector by asimple shift register means. These vectors represent velocity countsthat can be very effective in catching fraud as it is occurring in realtime.

In every case, embodiments of the present invention include adaptivelearning that combines three learning techniques to evolve theartificial intelligence classifiers, e.g., 408-414. First is theautomatic creation of profiles, or smart-agents, from historical data,e.g., long-term profiling. See FIG. 3 . The second is real-timelearning, e.g., enrichment of the smart-agents based on real-timeactivities. See FIG. 4 . The third is adaptive learning carried byincremental learning algorithms. See FIG. 7 .

For example, two years of historical credit card transactions dataneeded over twenty seven terabytes of database storage. A smart-agent iscreated for each individual card in that data in a first learning step,e.g., long-term profiling. Each profile is created from the card'sactivities and transactions that took place over the two year period.Each profile for each smart-agent comprises knowledge extractedfield-by-field, such as merchant category code (MCC), time, amount foran mcc over a period of time, recursive profiling, zip codes, type ofmerchant, monthly aggregation, activity during the week, weekend,holidays, Card not present (CNP) versus card present (CP), domesticversus cross-border, etc. this profile will highlights all the normalactivities of the smart-agent (specific card).

Smart-agent technology has been observed to outperform conventionalartificial and machine learning technologies. For example, data miningtechnology creates a decision tree from historical data. When historicaldata is applied to data mining algorithms, the result is a decisiontree. Decision tree logic can be used to detect fraud in credit cardtransactions. But, there are limits to data mining technology. The firstis data mining can only learn from historical data and it generatesdecision tree logic that applies to all the cardholders as a group. Thesame logic is applied to all cardholders even though each merchant mayhave a unique activity pattern and each cardholder may have a uniquespending pattern.

A second limitation is decision trees become immediately outdated. Fraudschemes continue to evolve, but the decision tree was fixed withexamples that do not contain new fraud schemes. So stagnant non-adaptingdecision trees will fail to detect new types of fraud, and do not havethe ability to respond to the highly volatile nature of fraud.

Another technology widely used is “business rules” which requires actualbusiness experts to write the rules, e.g., if-then-else logic. The mostimportant limitations here are that the business rules require writingrules that are supposed to work for whole categories of customers. Thisrequires the population to be sliced into many categories (students,seniors, zip codes, etc.) and asks the experts to provide rules thatapply to all the cardholders of a category.

How could the US population be sliced? Even worse, why would all thecardholders in a category all have the same behavior? It is plain thatbusiness rules logic has built-in limits, and poor detection rates withhigh false positives. What should also be obvious is the rules areoutdated as soon as they are written because conventionally they don'tadapt at all to new fraud schemes or data shifts.

Neural network technology also limits, it uses historical data to createa matrix weights for future data classification. The Neural network willuse as input (first layer) the historical transactions and theclassification for fraud or not as an output). Neural Networks onlylearn from past transactions and cannot detect any new fraud schemes(that arise daily) if the neural network was not re-trained with thistype of fraud. Same as data mining and business rules the classificationlogic learned from the historical data will be applied to all thecardholders even though each merchant has a unique activity pattern andeach cardholder has a unique spending pattern.

Another limit is the classification logic learned from historical datais outdated the same day of its use because the fraud schemes changesbut since the neural network did not learn with examples that containthis new type of fraud schemes, it will fail to detect this new type offraud it lacks the ability to adapt to new fraud schemes and do not havethe ability to respond to the highly volatile nature of fraud.

Contrary to previous technologies, smart-agent technology learns thespecific behaviors of each cardholder and create a smart-agent thatfollow the behavior of each cardholder. Because it learns from eachactivity of a cardholder, the smart-agent updates the profiles and makeseffective changes at runtime. It is the only technology with an abilityto identify and stop, in real-time, previously unknown fraud schemes. Ithas the highest detection rate and lowest false positives because itseparately follows and learns the behaviors of each cardholder.

Smart-agents have a further advantage in data size reduction. Once, saytwenty-seven terabytes of historical data is transformed intosmart-agents, only 200-gigabytes is needed to represent twenty-sevenmillion distinct smart-agents corresponding to all the distinctcardholders.

Incremental learning technologies are embedded in the machine algorithmsand smart-agent technology to continually re-train from any falsepositives and negatives that occur along the way. Each corrects itselfto avoid repeating the same classification errors. Data mining logicincrementally changes the decision trees by creating a new link orupdating the existing links and weights. Neural networks update theweight matrix, and case based reasoning logic updates generic cases orcreates new ones. Smart-agents update their profiles by adjusting thenormal/abnormal thresholds, or by creating exceptions.

In real-time behavioral profiling by the smart-agents, both thereal-time and long-term engines require high speed transfers and lots ofprocessor attention. Conventional database systems cannot provide thetransfer speeds necessary, and the processing burdens cannot betolerated.

Embodiments of the present invention include a fast, low overhead,custom file format and storage engine designed to retrieve profiles inreal-time with a constant low load and save time. For example, theprofiles 336 built in FIG. 3 , and long-term, recursive, and real-timeprofiles 414 in FIG. 4 .

Referring now to FIG. 8 , a group of smart agent profiles is stored in acustom binary file 800 which starts with a meta-data section 802containing a profile definition, and a number of fixed size profileblocks, e.g., 804, 805, . . . 806 each containing the respectiveprofiles. Such profiles are individually reserved to and used by acorresponding smart agent, e.g., profile 536 and smart agent 530 in FIG.5 . Fast file access to the profiles is needed on the arrival of everytransaction 502. In FIG. 5 , account number 504 signals the particularsmart agents and profiles to access and that are required to provide asmart agent risk assessment 552 in real-time. For example, an approvalor a denial in response to an authorization request message.

FIG. 9 represents what's inside each such profile, e.g., a profile 900includes a meta-data 902 and a rolling list of vectors 904. Themeta-data 902 comprises the oldest one's time field 906, and a recordlength field 908. Transaction events are timestamped, recorded, andindexed by a specified atomic interval, e.g., ten minute intervals aretypical, which is six hundred seconds. Each vector points to a run ofprofile datapoints that all share the same time interval, e.g.,intervals 910-912. Some intervals will have no events, and therefor novectors 904. Here, all the time intervals less than ninety days old areconsidered by the real-time (RT) profiles. Ones older than that areamalgamated into the respective long-term (LT) profiles.

What was purchased and how long ago a transaction for a particularaccountholder occurred, and when their other recent transactionsoccurred can provide valuable insights into whether the transactions theaccountholder is presently engaging in are normal and in character, ordeviating. Forcing a fraud management and protection system to hunt aconventional database for every transaction a particular randomaccountholder engaged in is not practical. The accountholders'transactions must be pre-organized into their respective profiles sothey are always randomly available for instant calculations. How that ismade possible in embodiments of the present invention is illustratedhere in FIGS. 5, 6, and 8-10 .

FIG. 10 illustrates a virtual memory system 1000 in which a virtualaddress representation 1002 is translated into a physical memory address1004, and/or a disk block address 1006.

Profiling herein looks at events that occurred over a specific span oftime. Any vectors that were assigned to events older than that areretired and made available for re-assignment to new events as they areadded to the beginning of the list.

The following pseudo-code examples represent how smart agents (e.g.,412, 550) lookup profiles and make behavior deviation computations. Afirst step when a new transaction (e.g., 502) arrives is to find the oneprofile it should be directed to in the memory or filing system.

find_profile ( T: transaction, PT: Profile’s Type ) Begin  Extract thevalue from T for each key used in the routing logic for PT  Combine thevalues from each key into PK  Search for PK in the in-memory index  Iffound, load the profile in the file of type PT based on the indexedposition.  Else, this is a new element without a profile of type PT yet.End---------------------------------------------------------------------------------------------------------------

If the profile is not a new one, then it can be updated, otherwise a newone has to be created.

---------------------------------------------------------------------------------------------------------------update_profile ( T: transaction. PT: Profile’s Type ) Begin find_profile of type PT P associated to T  Deduce the timestamp tassociated to T  If P is empty, then add a new record based on theatomic interval for t  Else locate the record to update based on t   Ifthere is no record associated to t yet,   Then add a new record based onthe atomic interval for t  For each datapoint in the profile, update therecord with the values in T (by  increasing a count, sum, deducing a newminimum, maximum ...).  Save the update to disk End---------------------------------------------------------------------------------------------------------------compute_profile ( T: transaction, PT: Profile’s Type ) Begin update_profile P of type PT with T  Deduce the timestamp t associatedto T  For each datapoint DP in the profile,   Initialize the counter C  For each record R in the profile P    If the timestamp t associated toR belongs to the span of time for DP    Then update C with the value ofDB in the record R (by increasing a count, sum.     deducing a newminimum, maximum ...)   End For  End For  Return the values for eachcounter C End---------------------------------------------------------------------------------------------------------------compute_profile ( T: transaction, PT: Profile’s Type ) Begin update_profile P of type PT with T  Deduce the timestamp t associatedto T  For each datapoint DP in the profile.   Initialize the counter C  For each record R in the profile P    If the timestamp t associated toR belongs to the span of time for DP    Then update C with the value ofDB in the record R (by increasing a count, sum,     deducing a newminimum, maximum ...)   End For  End For  Return the values for eachcounter C End---------------------------------------------------------------------------------------------------------------

The entity's behavior in the instant transaction is then analyzed todetermine if the real-time (RT) behavior is out of the norm defined inthe corresponding long-term (LT) profile. If a threshold (T) isexceeded, the transaction risk score is incremented.

analyze_entity_behavior ( T: transaction ) Begin  Get the real-timeprofile RT by calling compute_profile( T, real-time )  Get the long-termprofile LT by calling compute_profile( T, long-term )  Analyze thebehavior of the entity by comparing its current behavior RT to its past behavior LT:  For each datapoint DP in the profile,   Compare thecurrent value in RT to the one in LT (by computing the ratio or  distance between the values).    If the ratio or distance is greaterthan the pre-defined threshold,    Then increase the risk associated tothe transaction T    Else decrease the risk associated to thetransaction T  End For  Return the global risk associated to thetransaction T End---------------------------------------------------------------------------------------------------------------

The entity's behavior in the instant transaction can further be analyzedto determine if its real-time (RT) behavior is out of the norm comparedto its peer groups. defined in the corresponding long-term (LT) profile.If a threshold (T) is exceeded, the transaction risk score isincremented.

Recursive profiling compares the transaction (T) to the entity's peersone at a time.

compare_entity_to_peers ( T: transaction ) Begin  Get the real-timeprofile RTe by calling compute_profile( T, real-time )  Get thelong-term profile LTe by calling compute_profile( T, long-term ) Analyze the behavior of the entity by comparing it to its peer groups: For each peer group associated to the entity   Get the real-timeprofile RTp of the peer: compute_profile( T, real-time )   Get thelong-term profile LTp of the peer: compute_profile( T, long-term )   Foreach datapoint DP in the profile,   Compare the current value in RTe andLTe to the ones in RTp and LTp (by   computing the ratio or distancebetween the values).    If the ratio or distance is greater than thepre-defined threshold,    Then increase the risk associated to thetransaction T    Else decrease the risk associated to the transaction T  End For  End For  Return the global risk associated to the transactionT End---------------------------------------------------------------------------------------------------------------

Each attribute inspection will either increase or decrease theassociated overall transaction risk. For example, a transaction with azipcode that is highly represented in the long term profile would reducerisk. A transaction amount in line with prior experiences would also bea reason to reduce risk. But an MCC datapoint that has never been seenbefore for this entity represents a high risk. (Unless it could beforecast or otherwise predicted.)

One or more datapoints in a transaction can be expanded with a velocitycount of how-many or how-much of the corresponding attributes haveoccurred over at least one different span of time intervals. Thevelocity counts are included in a calculation of the transaction risk.

Transaction risk is calculated datapoint-by-datapoint and includesvelocity count expansions. The datapoint values that exceed a normativepoint by a threshold value increment the transaction risk. Datapointvalues that do not exceed the threshold value cause the transaction riskto be decremented. A positive or negative bias value can be added thateffectively shifts the threshold values to sensitize or desensitize aparticular datapoint for subsequent transactions related to the sameentity. For example, when an airline expense is certain to be followedby a rental car or hotel expense in a far away city. The MCC's forrental car and hotel expenses are desensitized, as are datapoints formerchant locations in a corresponding far away city.

FIG. 11 illustrates an example of a profile 1100 that spans a number oftime intervals t₀ to t₈. Transactions, and therefore profiles normallyhave dozens of datapoints that either come directly from eachtransaction or that are computed from transactions for a single entityover a series of time intervals. A typical datapoint 1110 velocitycounts the number of events that have occurred in the last thirtyminutes (count 1112), the last six hours (count 1114), and the lasttwenty-four hours (count 1116). In this example, t₀ had one event, t₁had 3 events, t₂ had 2 events, t₃ had 3 events, t₄ had 2 events, t₅ had5 events, t₆ had 3 events, t₇ had one event, and t₈ had 2 events;therefore, t₂ count 1112=6, t₅ count 1114=16, and t₇ count 1116=20.These three counts, 1112-1116 provide their velocity count computationsin a simple and quick-to-fetch summation.

FIG. 12 illustrates a behavioral forecasting aspect of the presentinvention. A forecast model 1200 engages in a real-time analysis 1202,consults a learned past behavior 1204, and then makes a behavioralprediction 1206. For example, the real-time analysis 1202 includes aflight purchase for $1410.65, an auto pay for cable for $149.50, and ahotel for $2318.80 in a most recent event. It makes sense that thebooking and payment for a flight would be concomitant with a hotelexpense, both represent travel. Consulting the learned past behavior1204 reveals that transactions for flights and hotels has also beenaccompanied by a car rental. So an easy forecast for a car rental in thenear future is and easy and reasonable assumption to make in behavioralprediction 1206.

Normally, an out-of-character expense for a car rental would carry acertain base level of risk. But if it can be forecast one is coming, andit arrives, then the risk can reduced since it has been forecast and isexpected. Embodiments of the present invention therefore temporarilyreduce risk assessments in the future transactions whenever particularclasses and categories of expenses can be predicted or forecast.

In another example, a transaction to pay tuition at a local collegecould be expected to result in related expenses. So forecasts forbookstore purchases and ATM cash withdrawals at the college arereasonable. The bottom-line is fewer false positives will result.

FIG. 13 illustrates a forecasting example 1300. A smart agent profile1302 has several datapoint fields, field₁ through field_(n). Here weassume the first three datapoint fields are for the MCC, zipcode, andamount reported in a new transaction. Several transaction time intervalsspanning the calendar year include the months of January . . . December,and the Thanksgiving and Christmas seasons. In forecasting example 1300the occurrence of certain zip codes is nine for 94104, seven for 94105,and three for 94110. Transaction amounts range $5.80 to $274.50 with anaverage of $84.67 and a running total of $684.86.

A first transaction risk example 1304 is timestamped Dec. 5, 2013 andwas for an unknown grocery store in a known zipcode and for the averageamount. The risk score is thus plus, minus, minus for an overalllow-risk.

A second transaction risk example 1306 is also timestamped Dec. 5, 2013and was for a known grocery store in an unknown zipcode and for aboutthe average amount. The risk score is thus minus, plus, minus for anoverall low-risk.

A third transaction risk example 1306 is timestamped Dec. 5, 2013, andwas for an airline flight in an unknown, far away zipcode and for almostthree times the previous maximum amount. The risk score is thus tripleplus for an overall high-risk. But before the transaction is flagged assuspicious or fraudulent, other datapoints can be scrutinized.

Each datapoint field can be given a different weight in the computationin an overall risk score.

In a forecasting embodiment of the present invention, each datapointfield can be loaded during an earlier time interval with a positive ornegative bias to either sensitize or desensitize the category totransactions affecting particular datapoint fields in later timeintervals. The bias can be permanent, temporary, or decaying to none.

For example, if a customer calls in and gives a heads up they are goingto be traveling next month in France, then location datapoint fieldsthat detect locations in France in next month's time intervals can bedesensitized so that alone does not trigger a higher risk score. (Andmay be a “declined” response.)

Some transactions alone herald other similar or related ones will followin a time cluster, location cluster, and/or in an MCC category liketravel, do-it-yourself, moving, and even maternity. Still othertransactions that time cluster, location cluster, and/or share acategory are likely to reoccur in the future. So a historical record canprovide insights and comfort.

FIG. 14 represents the development, modeling, and operational aspects ofa single-platform risk and compliance embodiment of the presentinvention that depends on millions of smart agents and theircorresponding behavioral profiles. It represents an example of how userdevice identification (Device ID) and profiling is allied withaccountholder profiling and merchant profiling to provide athree-dimensional examination of the behaviors in the penumbra of everytransaction and authorization request. The development and modelingaspects are referred to herein by the general reference numeral 1400.The operational aspects are referred to herein by the general referencenumeral 1402. In other words, compile-time and run-time.

The intended customers of embodiments of the present invention arefinancial institutions who suffer attempts by fraudsters at paymenttransaction fraud and need fully automated real-time protection. Suchcustomers provide the full database dossiers 1404 that they keep ontheir authorized merchants, the user devices employed by theiraccountholders, and historical transaction data. Such data is requiredto be accommodated in any format, volume, or source by an applicationdevelopment system and compiler (ADSC) 1406. ADSC 1406 assists expertprogrammers to use a dozen artificial intelligence and classificationtechnologies 1408 they incorporate into a variety of fraud models 1410.This process is more fully described in U.S. patent application Ser. No.14/514,381, filed Oct. 15, 2014 and titled, ARTIFICIAL INTELLIGENCEFRAUD MANAGEMENT SOLUTION. Such is fully incorporated herein byreference.

One or more trained fraud models 1412 are delivered as a commercialproduct or service to a single platform risk and compliance server witha real-time scoring engine 1414 for real-time multi-layered riskmanagement. In one perspective, trained models 1412 can be viewed asefficient and compact distillations of databases 1404, e.g., a 100:1reduction. These distillations are easier to store, deploy, and afford.

During operation, real-time scoring engine 1414 provides device ID andclickstream analytics, real-time smart agent profiling, link analysisand peer comparison for merchant/internal fraud detection, real-timecross-channel fraud prevention, real-time data breach detection andidentification device ID and clickstream profiling for network/deviceprotection.

A real-time smart agent profiling engine 1416 receives behavioraldigests of the latest transactions 1418 and uses them to update threepopulations of profiles 1420-1422. Specifically, a population of cardprofiles 1420, a population of merchant profiles 1421, and a populationof device profiles 1422 all originally generated by ADSC 1406 andincluded in the trained models 1412. These are all randomly andindividually consulted in real-time by smart agent profiling engine 1416to understand what is “normal” for a particular card, merchant, and userdevice.

Real-time smart agent profiling engine 1416 accepts customer transactiondata and scores each line. Such scores are in accordance with businessrules provided by a business rules management system (BRMS) 1424 and anyadaptive updates 1426 needed to the original set of models 1410 producedby artificial intelligence technologies and classifiers 1408. Aweb-based case management system 1428 uses false positives and falsenegatives to tighten up models 1410. These are periodically used toremotely update models 1412.

In general smart agent process embodiments of the present inventiongenerate a population of smart agent profiles by data mining ofhistorical transaction data. A corresponding number of entitiesresponsible for each transaction are sorted and each are paired with anewly minted smart agent profile. Each smart agent profile so generatedis modelled to collect and list individual and expanded attributes ofsaid transactions in one column dimension and by time interval series inanother row dimension. Each smart agent profile is stored in a fileaccess system of a network server platform.

Each newly arriving transaction record is compared and contrastedattribute-by-attribute with the time interval series of attributesarchived in its paired smart agent profile, and each such comparison andcontrast incrementally increases or decreases a computed fraud riskscore. The computed fraud risk score is thereafter output as adetermination of whether the newly arriving transaction recordrepresents a genuine transaction, a suspicious transaction, or afraudulent transaction. Or may be just OK-bad, or a fuzzy score between0 . . . 1.

Each time interval series can be partitioned or divided in its rowdimension into a real-time part and a long-term part to separatelypre-compute from the real-time part and the long-term part a velocitycount and statistics of said individual and expanded attributes. Thenewly arriving transaction record is then compared item-by-item torelevant items in each said real-time part and long-term part, andthereby determines if each item represents known behavior or unknownbehavior.

Each newly arriving transaction record is inspected to see if the entityit represents has not yet been paired to a smart agent profile, and ifnot then generating and pairing a newly minted smart agent profile forit.

In another embodiment, three populations of smart agent profiles aregenerated by data mining the historical transaction data. Acorresponding number of cardholder, merchant, and identified deviceentities involved in each transaction are sorted and each are pairedwith a newly minted smart agent profile. Then, each newly arrivingtransaction record is compared and contrasted attribute-by-attributewith the time interval series of attributes archived in the smart agentprofiles paired with the particular cardholder, and with the particularmerchant, and with the particular identified device (Device ID), andeach such comparison and contrast incrementally increases or decreases acomputed overall fraud risk score. See our U.S. patent application Ser.No. 14/517,863, filed 19 Oct. 2014, and titled User Device Profiling InTransaction Authentications, for details on the Device ID technology wehave in mind here.

In general, commercial messaging embodiments of the present inventionare implemented as a software-as-a-service (SaaS) applications onnetwork servers. The clickstream behaviors of online consumers arecollected in real-time while the consumers are online shopping orsurfing. The clickstream behaviors are copied to the SaaS from thevisited websites that subscribe to such service.

Referring now to FIG. 15 , a software-as-a-service (SaaS) 1500 is builtto run as an application on a network server 1502. Clickstream behaviordata 1504-1509 corresponds to numerous online consumers. The data arecollected in real-time while the consumers are online shopping orsurfing at a variety of independent and unrelated commercial websites.Each of these commercial websites has its own merchant transactionserver 1512-1517 that is extended to accumulate and forward clickstreamsuch behavior data. The clickstream behaviors 1504-1509 are copied tothe SaaS 1500 from the visited websites that subscribe to such service.

The context for ads can be used to identify specific audiences. Forexample, an ad for a hotel can be offered for display if the usercontext is travel. However, an ad for wine is not appropriate on awebsite for recovering alcoholics, even though the ad and the content ofthe website are related to the context, albeit in a negative way. Thecontext and the positive direction of the context is to be understood tomake for an effective SaaS service.

A thesaurus-based contextual analysis can be used to filter the content.E.g., extracting the main idea of the content by determining thecontexts in which words in the content are used. A thesaurus is builtinto word-context database and stored in database 1520.

Contextual analysis is used in embodiments of the present invention toevaluate the appropriateness of a particular site, so the main idea ofthe site's content can be extracted. The information extraction is atext process that locates a specific set of relevant items in the webpage document.

Contextual analysis and concept extraction can automate a categorizationand cross-referencing of information by using the thesaurus. By usingcontextual analysis, smart analytics processors can artificially“understand” the main idea of most documents and websites. Smartanalytics assigns the highest importance to semantics and each word'scontext or main idea.

Smart analytical software is best installed on a central server tomonitor the activities of a large population of users. The thesaurusdatabase is loaded with an extensive list of words and an comprehensivelist of contexts in which such words are typically used. The thesaurusdatabase helps create a list of contexts for the relevant words visitedin a document. When the document is an electronic webpage, includedsoftware follows any links displayed in the web page to further detailthe contexts.

The smart analytical software assigns a “context pertinence value” toeach context found in the document. The context pertinence value of agiven context determines how many restricted words associated with thatcontext are found in the document. The smart analytical softwaredetermines the most important contexts conveyed in the electronicdocument. Each word is assigned a weight that depends on how the word isdisplayed in the document. Each context is assigned a weight thatdepends on the number of words in the document that have the samecontext, the weight of those words, and the number of contexts for eachone of those words. The contexts assigned the highest weight aredetermined to be the most important contexts. If the most importantcontexts are among the restricted contexts specified in the contextsdatabase, the user is offered ads specific to that context.

As seen in FIG. 15 , SaaS 1500 comprises software instruction sets1521-1526 for enabling payments processor network server 1502 toadditionally provide consumer preferences and forecasts, or evenaudience-appropriate commercial messages 1530 to what can be thousandsof merchant transaction processors 1512-1517. For example, using thecontextual analysis detailed herein.

Software instruction set 1521 monitors consumer purchase transaction andpayment data independently communicated with individual merchanttransaction servers and a payments processor server. Excerpts andabstracts of these are stored in a database 1520.

Software instruction set 1522 identifies individual consumers from manyinstances of consumer purchase transaction and payment data coming overtime over many unrelated connections to independent merchant transactionservers. The identifications are stored in database 1520.

Software instruction set 1523 collects and organizes consumer purchaseinformation derived from the transaction and payment data according tothe consumer identities recognized. The organized collections are storedas dossiers in database 1520.

Software instruction set 1524 characterizes what is important to eachidentified consumer and forecasts what they are likely to buy fromintimations obtainable from records of what they did buy, when theybought it, what was bought in combination, where it was bought, what thetotal purchases were, and any strong correlations to other availabledata. These conclusions, consumer preferences and forecasts 1510 arekept at-the-ready in database 1520.

Software instruction set 1525 enrolls individual ones of many merchanttransaction servers connected to the payments processor server to accessconclusions calculated as to what is important to each identifiedconsumer and forecasts of what they are likely to buy. Those enrolledare maintained in database 1520.

Software instruction set 1526 enables payments processor server 1528 toservice real-time requests by enrolled ones of the merchant transactionservers for the conclusions that have been calculated. In response,database 1520 supplies individual consumer preferences and forecasts1510. The enrolled ones of the merchant transaction servers 1512-1517are enabled by the conclusions to offer messages and incentives ofinterest to a correspondingly identified consumer at the time of theirconcluding another transaction with a merchant.

Device identifications that use behavioral data to advance over simpledevice ID techniques will outperform and provide better results andlowered losses due to fraud. Behaviorally enhanced device ID istherefore a critical part of all embodiments of the present invention.It recognizes individual users will use their tools in repeatable,recognizable ways no matter what devices they are using at the moment.

It is important for merchant companies to constantly evolve theirsystems to stay in tune with developing standards, rapid technologicalchanges, and keep up with ever more sophisticated and capable fraudsterstrying to break in and abuse their systems.

Very few single dimension device ID technologies are effective in beingable to uniquely recognize devices when the legitimate devicesthemselves are changing daily. Multi-layer, multi-dimensional frauddevice identification is required now in a world where ever-more cleverthieves and surprising new malware behaviors pop up daily.

In general, multi-layer behavioral device identifications can be had bycombining multi-agent technology with case-based reasoning, real-timeprofiling, and long-term profiling. Multi-layer behavioral deviceidentifications can guarantee correct device identifications even whenmany changes and updates have occurred on the devices. Better deviceidentifications mean e-commerce can be safer and more secure foreveryone.

Smart-agents are used in the embodiments of the present invention tocreate a virtual agent for each user device. Each such virtual agent isconfigured to observe and learn the behavior of its host user deviceover time to create a device profile. The ways the user device is used,the frequency of its use, the types of actions taken, e.g., during thelast minute, ten minutes, over days/weeks/years are all intelligentlyaggregated into a profile of what's normal for this user.

FIG. 16 represents a network server method 1600 for protecting websitesfrom fraudsters. Method 1600 includes a step 1602 for accumulating andmaintaining a database of comprehensive dossiers of user deviceidentities. These identifying characteristics are fetched in a step 1604from activity reports about user-device visits to webpages as they arevolunteered by the reporting websites. The assemblage and organizationof user device identifying characteristics can be carried on over aperiod of time that can span months or even years. A step 1606 tries tomatch each newly presenting user device currently visiting a website byits identifying characteristics to a particular user device identitydossier already in the database 120.

If a match is found in a step 1608, any previous experiences with theparticular user device by this or other included websites is included ina first part calculation of a fraud score. Such first part of the scoreis computed in a step 1610. Otherwise, a step 1612 builds and adds a newfile to be inserted the database 120 for future use.

A step 1614 analyzes a sequence of webpage click navigation behaviors ofeach corresponding user device then being employed to visit a particularwebpage and website. A real person with a real purpose will navigatearound and between webpages in a particular way. Fraudsters andautomated crawlers behave very differently. A step 1616 calculates afinal or only part of the fraud score in real-time. A step 1618 isconfigured as an output which useful to assist each website indetermining whether to allow a proposed transaction to be concluded by aparticular user device. For example, a good score predetermined to beacceptable would trigger an approval of a user transaction. A marginalscore could be used to signal a call should be made, or investigatedfurther. A poor score would issue an outright denial. A red-flag scorecould be used to alert law enforcement.

Whenever a particular user device cannot be matched to any particulardossier file in the database, a new dossier file is opened up for suchuser device according to the user device identification parameters thenobtained. The determination of a fraud score is necessarily limited towhat can be surmised by analyzing the sequences of webpage clicknavigation behaviors that occurred. This limitation is reflected in thefraud score.

An endpoint client can be embedded in a webpage presented on a websiteand configured to provoke a browser in a user device to report back userdevice information, capabilities, extensions, add-ons, configurations,user device locations, and other data which are useful to sort throughand contribute to corresponding user device dossier files maintained inthe database 120. For example, FLASH PLAYER video, ACTIVEX, andJAVASCRIPT objects embedded in webpages all naturally provoke a lot ofuseful identifying and characterizing information to be reported backfrom plug-ins and extensions already present each user device.

For example, JavaScript can be used to check various non-universalphysical attributes of a particular user device, including its operatingsystem, CPU architecture, video card, screen size, and other items thatfluctuate widely in the real-world population. The data that can usuallybe obtained by JavaScript includes, user agent, Screen resolution, userlanguage, time zone offset, graphics processing unit (GPU) information,list of specific fonts availability, list of plugins, list of MimeTypes,availability of cookies, availability of HTML5 properties and methods,attributes specific to the browser, etc.

If an innocuously small Flash video is included in the webpages, itsnormal protocols can be appropriated to provide extra information madeavailable to the Flash player, e.g., information describing audio/videocodecs, printers, touchscreens, and other peripherals. The physicallocation of a user device can be discerned from its IP address using ageo-location database to get the city, latitude, and longitude. Overall,two hundred fields can be gathered together and used to identify asingle user device with high degree confidence.

A mobile endpoint client is similar to the endpoint clients used forpersonal computers. It may not always be possible to gather identifyinguser device information with a browser. So mobile endpoint clients areconstructed from small libraries of Java (for Android) or Objective C(for iOS) and included in a downloadable app. Once installed, the app isempowered to request a device ID from the mobile client. It isconfigured to gather user device information in the background and sendit to server 128 for recognition and identification.

An unnoticeable web browser is launched in the background to gather datafrom various browser-specific fields. Running now as an application, allthe system calls become available. These system calls can be used toretrieve the peculiar mobile user device's physical properties, e.g.,the iOS/Android version, the size and resolution of the screen, thecapabilities of the touchscreen, etc. The user's settings can also beaccessed, as well as a list of all the apps then installed on thisparticular user device. All this information is useful in database 120to characterize and distinguish the particular user device 120-122 froma million others.

Using IP addresses for geo-location is not entirely satisfactory, thesecan vary as a user moves around from one cell tower to the next orbetween WiFi routers. It's better to use the built-in GPS app ifavailable. Most smartphones now include these in their standard kit.

A centralizing of the collecting and maintaining of a database ofcomprehensive dossiers of user device ID's allows for a much largerpopulation to be obtained from countless user-device visits to numerouswebpages maintained by many unrelated websites. The otherwiseindependent and unrelated websites each forward user device activityreports in real-time as they occur to a single centralized server 1528that solely controls and maintains database 1520. Fraud scores arereported back to the corresponding websites, e.g., over the Internet.Such service can be by paid subscription. Embodiments of the presentinvention would be useful in commercial payment systems, peer-to-peermoney transactions, physical access controls to buildings and otherfacilities, communication-command-control applications, and in sensitivedocument control.

In general, embodiments of the present invention protect websites fromfraudsters by analyzing webpage click navigation behaviors each ofdevice visiting their webpages, and by collecting and maintainingcomprehensive dossiers of device ID's, and by producing a fraud score inreal-time to assist the website in deciding whether to allow a proposedtransaction to be concluded.

FIG. 17 represents how user devices can be accurately classified andcategorized by a five-layer identification process 1700 that includesendpoint 1701, navigation 1702, single-channel 1703, multi-channel 1704,and entity link 1705 analyses. The first classification layer 1701 isendpoint-centric, it identifies users by their behaviors and by theattribute signatures of their particular devices. Such attributesignatures can be extracted by their browsers and the informationobtained used in the identification.

An endpoint client is embedded in a web page provided by a websiteserver so it can be carried back to the user device by its browser andrun in background to gather data. When the data collection is completed,the endpoint client automatically delivers the collected data up to thewebsite server for immediate use in identifying this user device.

Smart-agent technology, data-mining, a decision tree, and case-basedreasoning are all used to find candidate matches in a large, server-sidedatabase. Such will either find a matching device or the collected datawill be used to create a new device dossier. If the user device wasrecognized, the data fields in its dossier are updated as needed.

Mobile devices have a variety of ID's built-in, some incidentally andothers unintended. For example, the Android ID is randomly generated andwill persist across phone resets. The SIM cards used universally bymobile providers in their phones provide unique identifiers, but thesecards can be freely removed and plugged into another phone by any user.There are other inherent ID's that are less reliable for our purposes,but these nevertheless can be helpful to build confidence.

The navigation-centric layer is the second layer mentioned. It is usedto track session activities and do a clickstream analysis in real-time.The user's clickstream behaviors are compared to previously observedpatterns of normal, suspect, abnormal, and malware attack activities forthis particular user and the population in general. Smart-Agents areused in these categorizations.

Clickstreams are the navigation pathways users follow through web pagesand can be tracked by the webpage servers. The order of the pages a userviews can be and which pages they visit can be quite telling and uncovertheir true motivations in the visit. An important conclusion can be madeas to whether this is a real customer legitimately engaged in shoppingor a fraudster bouncing around looking for a point of entry. Once thecurrent user has been identified, a record of their navigation clicks isconstructed and used in a behavior study to build a confidence score.

One way to follow a user's path through a web site is to look first atthe Referrer header for each page, e.g., to see where they came from. Itcan be informative to know if they arrived here from a search engine,from a competitor, from another one of the server's pages, or if theyjust typed the URL straight into their browser.

A “site depth” is assigned to each web page to represent how far or howmany clicks away it is from the home page. These statistics can be usedto see if the visitor is convincingly browsing around and up/down aproduct tree like a real user would.

Velocity counters track how fast a visitor is moving around in severaldimensions, such as their reputed location, times of day, clickstreams,items added to carts, number and length of browsing sessions, clickrates and quantities, category changes, reviews read, etc. For example,if a review is read for a product before buying it. Another importantvisitor attribute to recognize is the number of category changes theymake as they navigate. Typical users usually have a single product goalin mind, they don't bounce randomly between categories nor shop for twoor more items simultaneously.

Suspicious browsing patterns are often generated by automatedsite-crawling scripts. Long-term profiling counters are useful to trackthe number of different products users have viewed or purchased in eachcategory. The average prices and numbers of items per order are alsouseful points to remember. Big ticket buyers don't randomly drop fromthe sky unannounced. Tracking what cities and countries a user logs infrom, and what local times of day they have been active can be used todistinguish legitimate users. A lot of fraud is generated from EasternEurope, Asia, and Africa, and so those sources deserve extra scrutinyand wariness.

Any new behavior raises a red-flag and can be used to match thehistorical actions on file. If a legitimate user were to leave theiraccount logged in and a stranger sat down, or if an account is stolenwith fraud or malware, the new behavior outside historical actions wouldbe an early warning of fraud.

The third layer, is account-centric for a specific channel, such asonline sales. It monitors transactions, creates profiles associated witheach user device and analyzes real-time behavior. A combination oftechnologies are employed, e.g., smart-agent, real-time profiling,geo-profiling, recursive profiling, long-term profiling, neuralnetworks, data mining, data quality engine, fuzzy logic, business rules,and case-based reasoning.

The fourth layer is device-centric, with behavioral perspectives takenacross multiple channels of user device contact with independentmerchant servers. The device-centric layer correlates alerts andactivities for each device/user obtained from more than one channel.

Layer five includes entity link analysis, it searches for relationshipsamong the devices they encounter and the channels they employ. Theentity link analysis layer inspects users and machines in an effortdesigned to detect organized criminal activities and misuse. Forexample, all devices of a device or type should be or could expected tobe similarly affected by WINDOWS, ANDROID, or iOS system updates,patches, and new versions that occur in public and more or less aroundthe same time. These broad transformations in the population can be usedin the scoring of changes as normal/abnormal when identifying aparticular user device.

Each of the five layers 1701-1705 can by implemented with Smart-Agentsthat interact and negotiate with each other in order to reach theirindividual and collective goals. Algorithmic systems are very differentand produce less reliable results in fraud risk assessments.Smart-Agents determine how to find a solution by providing each agentwith goal information, e.g., situations that are desirable orundesirable.

Smart-Agents solve problems without needing extensive programming orsets of specific rules to be predefined that make for inflexibilitiescommon to neural networks and genetic programming. Smart-Agents are ableto effectuate runtime changes and adapt as needed.

Algorithmic programs follow successive operations applied in a fixedorder. Algorithms enable computers to repeat long suites of logicaloperations tirelessly and accurately, which is great if the algorithm isfundamentally correct. Algorithmic programs are not equipped to take anyinitiative, and cannot stray even a little bit from each fixed line ofcode. It falls on the programmer to dictate, and spell out a precisesuccession of acts that the machine should follow. Often, there are justtoo many variables to code and too many decisions that can each bewrong. Business problems requiring even a minimum amount of reasoningare impossible to transcribe into algorithmic forms. Business decisionsoften require complex integration efforts involving large numbers ofdynamic variables. And, having an algorithm available doesn't guaranteeits practicality. Modest complexities can make it unwieldy.

Neural networks are not much better, they need to be trained, and manysamples are needed in order to have a satisfactory result.Object-oriented languages require one to foresee, know, and program allthe possible methods.

Smart-Agents can get past algorithmic limitations, and it is possible todesign applications for them even when a suitable algorithm is unknown.Smart-Agents can adapt as the data they process changes. EachSmart-Agent is instructed to recognize information that favors the goalsand is therefore “good”, and information that disfavors the goals and istherefore “bad”. Such instructions enable each Smart-Agent toautomatically and autonomously make the “right” decision. Thisright-decision is referred to as the “THEN STATEMENT”, as in a classicIF-THEN programming statement. An optimum THEN STATEMENT is relativelyeasy for a programmer to coin and get right.

The intelligence in the program springs from what the programmer embedsin each THEN STATEMENT. Smart-Agents can exist in a community of agentscollected together to share a particular expertise, mimicking humansociety as they do. Smart-Agents can simulate human reasoning. EachSmart-Agent is able to operate independently according to its assignedfunctions, goals, representations of their environments, their runtimeobservations, acquired knowledge and interactions with otherSmart-Agents. Systems of Smart-Agents marshal together many autonomousagents to interact and negotiate with one another.

An application's overall solution builds from the interactions as eachSmart-Agent moves toward their respective goals.

Collections of Smart-Agents will appear to interact and negotiate toresolve complex and unpredictable problems, without any proceduralprogramming or definition of rules. Each Smart-Agent is independent ofthe others, since each one of them only affects the others by the factthat they are in favor or disfavor of a specific goal. Smart-Agents arereusable in other applications.

Goal-satisfaction mechanisms direct Smart-Agents to accept or reject oneincoming message over another. Every message is evaluated in terms ofits being in favor of, in disfavor with, or neutral to reaching of agoal. For example, a private goal, a sending agent's goal, anorganization's goal, or a system's goal. The Smart-Agents depend on eachgoal's opinion with respect to the current situation, the goal justifiesthe means. Smart-Agents can refuse messages, because they can chargemessages as being favorable, unfavorable or neutral.

A bottom-line in fraud prevention systems is to decide how a particulartransaction should be categorized. Every transaction is accepted byeither a bad (fraud) agent or a good (normal) agent.

Other technologies can be usefully combined with Smart-Agents to produceeven better results. Neural networks are a kind of algorithmic systemthat can interpret historical data and help identify trends and patternsagainst which to compare subject cases. Neural networks have theremarkable ability to solve problems related to detecting trends andpatterns that humans or other computer techniques are unable to solve.

An Artificial Neural Network (ANN) models the ways in which biologicalnervous systems process information. The brain, e.g., consists ofbillions of processors, which process a large number of tasksconcurrently. Neurons work collaboratively to solve the defined problem.Neural networks can resemble human reasoning, making them well suited tosolve pattern recognition and forecasting problems.

ANN's have two primary parts, neurons, represented by neural units; and,synapses, connections between the neurons, which send signals fromneuron to neuron. Those synapses can be excited (positive weight), orinhibited (negative weight). Most known neural networks have inputlayers for the agent to receive data from the environment, and outputlayers for the agent's potential actions. Others (like Back Propagation)have one or more intermediate layers between these two layers. Theselayers are massively interconnected, as the units on one layer areconnected to those in the next layer. Just like the factors that shape ahuman, the factors that shape a neural network are its environment andits genetic makeup. Both its initial state and its training play a rolein the ANN's development. It is through the critical training processthat ANN's are taught how to arrive at the correct answer. Awell-trained neural network will be more successful than a poorlytrained neural network. The training refers to its environment and theexperiences and samples that help shape it. The more samples andexperience a neural network receives has a direct correlation with itslikelihood of its success.

Case-based reasoning (CBR) can use past experiences or cases to solvenew problems. Each “case” is translated into a list of steps to lead toa desirable outcome. The cases are stored and organized in a database,and used as an index for similar situations later. Solutions to complexproblems can be found very quickly and accurately this way.

Being able to retrieve and manipulate past problem-solving examplesaccurately is important. Case-based systems search their case memoriesfor an existing cases that match the input “specifications”. As newcases are solved, the solutions are added to the case memory. Such willcontinue to grow the database of cases solved and increase thelikelihood of success.

The goal is to find a case that matches the input problem and thatproceeds directly to a solution. Thus making it possible to providesolutions to potentially complex problems quickly. If, on the otherhand, an exact match cannot be found, the case-based system look for asimilar one to the input situation, and then offer it as a potentialsolution.

How the system learns is when a nonperfect match is found thatnevertheless solves the problem, the case is added to the systems casememory for future use. Each case is a recipe of steps that will lead toa particular outcome. A case is a connected set of subcases that formthe problem-solving task's structure.

One of the key differences between rule-based and case-based knowledgeengineering is that automatic case-indexing techniques drasticallyreduce the need to extract and structure specific rule-like knowledgefrom an expert. CBR systems retrieve relevant cases quickly andaccurately from its memory. When a case should be selected for retrievalin similar future situations is the goal of case-indexing processes. Ascases accumulate, case generalizations can be used to defineprototypical cases that can be stored with the specific cases, improvingthe accuracy of the system in the long run.

The inductive-indexing capabilities in CBR systems provide several majoradvantages over neural networks and pattern-recognition techniques.Inductive systems can represent and learn from a wider range of featuretypes than either neural networks or pattern recognition. The ability touse richer feature sets for describing examples makes them at least asaccurate and many time more precise. Case-Based Reasoning solves complexproblems like planning, scheduling, and design by finding a similar,successful past plan, schedule, or design, and modifying it to meet thecurrent problem's needs.

Another technology that can be added in a combinational approach isFuzzy Logic. Fuzzy logic is able to account for areas that are notclearly defined. The logic can be extended to handle partial truths insituations where the answer lies somewhere in between what is true andwhat is false. Many of the big problems in organizations cannot besolved by simple yes/no or black/white programming answers. Sometimesanswers come in shades of gray, where fuzzy logic proves useful. Fuzzylogic handles imprecision or uncertainty by attaching various measuresof credibility to propositions. Fuzzy technology enables cleardefinition of problems where imperfect or partial knowledge exists, suchas when the goal is “about 12 years old” or between “all” and “nothing”.Traditional and classical logic typically categorize information intobinary patterns such as: black/white, yes/no, true/false, or day/night.

The power of fuzzy logic is exponential when it is combined with othertechnologies like genetic algorithms, neural networks, and businessrules. Many of the big problems in organizations cannot be solved bysimple yes/no or black/white programming answers. Sometimes answers comein shades of gray, this is where fuzzy logic proves useful. Fuzzy logichandles imprecision or uncertainty by attaching various measures ofcredibility to propositions.

Genetic algorithms are able to address complicated problems with manyvariables and a large number of possible outcomes, by simulating theevolutionary process of “survival of the fittest” to reach a definedgoal. They operate by generating many random answers to a problem,eliminating the worst and cross-pollinating the better answers.Repeating this elimination and regeneration process gradually improvesthe quality of the answers to an optimal or near-optimal condition. Incomputing terms, a genetic algorithm is a population of individualsrepresented by chromosomes, a set of character strings.

Genetic algorithms include three stages: building and maintaining apopulation of solutions to a problem, choosing the better solutions forrecombination with each other, and using their offspring to replacepoorer solutions. Each stage produces a new generation of possiblesolutions for a given problem.

In the first stage, an initial population of potential solutions iscreated as a starting point for the search process, each element of thepopulation is encoded into a string (the chromosome), to be manipulatedby the genetic operators. In the next stage, the performance (orfitness) of each individual of the population is evaluated with respectto the constraints imposed by the problem. Each individual of apopulation represents a possible solution to a given problem. Eachindividual is assigned a “fitness score” according to how good asolution to the problem it is. A potential solution to a problem may berepresented as a set of parameters.

Business Rules, or Expert Systems are the most widely used commercialapplications developed using artificial intelligence (AI). Many useexpert systems to solve business problems. Expert systems modelinformation at a higher level of abstraction. When these systems areimplemented well they closely resemble human logic and become morereliable and easier to maintain. The goal is for the expert system toapply heuristic knowledge to give advice or make recommendations justlike a human expert. Rules are used to represent a rule-of-thumb tospecify a group of actions performed for a given situation. Rules arecomposed of if-then statements that comprise the necessary solution. Aninference engine automatically matches facts against patterns andautomatically determines which rules are applicable. This process ofselecting rules against historical patterns will continue to repeatitself until no applicable rules remain. It is critical that theknowledge source is reliable, because the system is only as good theknowledge assimilated into the rules. One of the most difficult tasks indeveloping an expert system is extracting the knowledge from an expertso the rules can be written. The most widely known algorithms forcompiling rules are RETE and TREAT.

Data mining, or knowledge discovery, in databases is the nontrivialextraction of implicit, previously unknown and potentially usefulinformation from data. It is the search for relationships and globalpatterns that exist in large databases but are hidden among the vastamount of data. Using particular classifications, association rules andanalyzing sequences; data is extracted, analyzed and presentedgraphically. Data mining, or knowledge discovery in databases is thenontrivial extraction of implicit, previously unknown and potentiallyuseful information from data. It is the search for relationships andglobal patterns that exist in large databases but are hidden among thevast amount of data. Using particular classifications, association rulesand analyzing sequences, data is extracted, analyzed and presentedgraphically.

Data mining algorithms always requires a number of different technicalapproaches to address data cleaning, sampling, clustering, learningclassification rules, analyzing changes and detecting anomalies.

Descriptive Statistics is the process of obtaining meaningfulinformation from sets of numbers that are often too large to deal withdirectly. While it is often impossible to calculate scores for allmodels when searching a large model space, it is often feasible todescribe and calculate scores for a few equivalent classes of modelsreceiving the highest scores. Prediction methods for this sort ofproblem always assume some regularity in the probability distribution.

Real-time profiling keeps track of activities over windows time spanningseconds, minutes, hours, days, months or even years. These profiles canhighlight suspicious changes in device activities, by looking at thenumber of transactions from a device over a window of time, histories ofpayment methods, typical purchasing from the device, patterns andclickstreams of the device at the merchant's site, e-mail addressactivity from the device, ship-to and bill-to activity, etc.

Modern inventory control and retail checkout systems are capable ofproducing a lot of statistics about purchase behaviors of singleindividuals on a single visit and group behaviors over an hour, day,week, month, etc. These statistics can provide important insights intowhat consumers buy, what they buy in combination, and any correlationsto time of day, day of week, month or year. They can also providestatistics on how a particular transaction fits within a larger group oftransactions.

The place of purchase will be inherent in the statistics that can becollected. People tend not to venture very far from home or world and aretail merchant offering incentives would do well to offer theirincentives in the neighborhoods where the targeted consumers are active.The widespread use of credit cards, payment cards, loyalty cards, andpersonal mobile devices allows a payments processor to tie seeminglyunrelated purchase transactions together by the behavior of the consumerand even the device ID information obtainable rom their browsings andlog ons.

For example, payments transaction records can show where a particularconsumer has been shopping and when they most frequently shop, and whatthey shop for, e.g., groceries, gasoline, clothes, cars, etc. Patternswill often emerge that can be analyzed to forecast when and where thenext shopping trip will be and what for. An enrolled merchant canbenefit from the SaaS product services described herein by being able tosend the consumer a coupon or message that the consumer would find ofinterest and timely.

Smart analytics embodiments of the present invention analyze consumertransaction data to help merchants deliver productive messages to theircustomers and prospects according to their particular, life stages,interests, geography, spending patterns, seasonal, culture, and otherdifferentiating characteristics that can influence what they buy.

FIG. 15 illustrates a payment processor 1502 and Internet web portalconnected to service routine transactions coming from thousands ofmerchants and millions of shoppers. A software-as-a-service (SaaS) 1500is used to augment and enhance the consumer transaction services, it isused to sign up merchants. SaaS 1500 controls what features thesemerchants will have access to. For example, the merchants access theportal to collect insights into their customers' motivations andidentify potential new customers from database 1520. A principal goal isto help merchant computers artificially “understand” their customers asnon-homogenous individuals. This enables the merchants to make smarterdecision about customer needs and future behaviors to proactivelyformulate attractive and personalized commercial offers.

SaaS 1500 helps merchants identify where their best customers will spendtheir money, and then assist in directing their efforts accordingly.

Given the perspective SaaS 1500 would have in servicing thousands ofindependent merchants, it could effectively provide useful peer viewanalyses. E.g., to provide marketing awareness and assistance forcomparable merchants within a local geographic area.

As each consumer user shops in real-time and adds to their shoppingcarts it becomes possible to execute a Market Basket Analysis to spotfurther revenue optimization opportunities. For example, Up-sell andcross-sell offers by creating a group of items often bought together,e.g., bagels, cream cheese, cumber, onion, smoked salmon, and capers. Orthings bought sequentially over days or weeks, e.g., engagement ring,wedding ring, wedding arrangements, honeymoon vacation spots. Loyaltyprograms can be based on advanced association methods. Such as to rewardnew and loyal customer with offers that they want and will redeem at thepoint-of-sale in real-time.

The spending habits of customers can be followed in each individualstore, across a chain, and the user specific advertisement data can thenbe customized and adjusted based on user profiles and/or the currentclickstreams.

Horizontal/Vertical Browsing

Real-time coupon redemption can be offered at the point of interaction.Offers can be limited to those with a short distance to thepoint-of-service. Clickstream analysis for Card Not Present transactioncan help to understand how online shoppers navigate through a web site.The information can be used to customize and adjust user-specificadvertisement data. Recommendation can be made by SaaS 100 on how tobest optimize the merchant websites' workflows.

SaaS 1500 can help with Inventory Management/Supply Chain disruptions.E.g., to eliminate the expense of stock-outs and overstocks. Weather,season, weekend, before and after taxes, events, etc., can all play arole that are predictable by analyzing user behaviors. SaaS 100 isuseful in Store Operation and Store Organizations to monitor: Product,Placement, Pricing and Promotion and to understand how they impactvolume growth or decline within a brand or category. Seasonal ProductPlacement requires putting the right product in the right place at theright price at the right time.

Conventional marketing strategies can therefore be applied in verypractical ways with very affordable computer tools and systems. Forexample using, demographic baskets (clustering, family), competitorstores, comparative store sales, front store sales, inventory turnover,labor cost analysis register usage analysis, cross-selling,location-based marketing, in-store behavior analysis, customermicro-segmentation, leverage, if available, data in social media todrive effective promotions, collaborative filtering to generate “youmight also want” prompts for each product bought or visited, behavioraldevice identification for security, and offers based on behavioraldevice activities and shopping patterns of a specific device.

Individual words collected in the clickstreams flowing back to SaaS 1500can often be highly ambiguous, and specific meanings for them need tocalculated. This can be done by a computer by analyzing the contexts inwhich the words exist. Context vectors and weights are assigned by thecomputer to artificially resolve word ambiguities. The points ofinterest for the consumer are revealed, and are used as a template toscreen through appropriate commercial messages given the individualconsumers' apparent shopping interests.

A diverse kit of commercial messages are sold to and subscribed by awide variety of commercial producers of products and services. Thesecommercial producers will pay a premium for SaaS services that caneffectively deliver a relevant audience. Such is therefore a principalobject of the present invention, to profit by selling such a service.

What a user is looking for can be artificially understood by a computingmachine using context information. The context a user is working from orinto can be engaged to tune or filter the offers an artificialintelligence machine makes to end users. The context can be gleaned fromthe way the users are navigating webpages. Clues are hinted their searchkeywords as to their particular culture, geography, age, preferences,and sensibilities. Understanding the context of the users' searchkeywords and items the users click on can work like constraints todisplay increasingly more appropriate content.

It seems as though all words are ambiguous in that they have manydifferent meanings and even products can have many different uses andpurposes. A computing machine cannot naturally resolve such ambiguities,but humans do it instantly and effortlessly. Consider the words,“apple”, “attack” and movie, and the corresponding contexts each canemploy.

WORD CONTEXTS POSSIBLE apple computer, hardware, software, laptop,servers, PowerBook, iMac, iBook, ClarisWorks, AppleWorks, PowerMac,Steve Jobs, acquisitions, alliances, New York Times, TheStreet.com,Adam's apple, Fruit, New York, Computer, Red, Green, Delicious, AppleCustard, Apple Sauce, Crab Apple, Apple Butter, Apple Pie, Apple chips,Apple juice, Apple cider, industry analysis, price, or volume movementattack violence, sports, heart, war, game, illness, chemical, or agentmovie fun, film, cinema, cinematic, cinematograph, feature, flick,motion picture, moving picture, photoplay, screenplay, show, silent,silver screen, talkie, talking picture, videotape, theater, orentertainmentSimilarly, things, items, services, and products can have severalpurposes, only one of which the user will put it to. Consider thefollowing for “patent”, “kerosene”, and “acetone”.

ITEM PURPOSES POSSIBLE patent legal protection, prestige, credibility,tangible asset, bragging rights, market monopoly, scientificpublication, legacy, land deed, or to mean ″on its face″ as an adjectivekerosene engine fuel, jet fuel, lighting, heating, cleaning, dissolving,reducing, or low volatility fire acetone nail polish remover, paintcleaner, solvent, paint thinner, or as in a acetone cyanohydrinprecursor to methyl methacrylate

A method embodiment of the present invention parses each webpage or URLinto its relevant words. Contextual weights are assigned to eachextracted word according to how each is displayed in the electronicdocument. A context vector is created for each extracted word and thecontexts taken from a thesaurus database. A weight vector is associatedwith a context vector for each relevant word. The highest weightedvectors point to the most important contexts. A check is made to see ifthe current interests of the user are in line with a stored profile forthem. If not, a new profile is created. If so, then the users'; “likes”are reinforced. Both are then used to constrain the launching any ads tojust the ones that target the

SAMPLE WEBPAGE Breast Cancer Symptoms Early breast cancer usually doesnot cause pain. In fact, when breast cancer first develops, there may beno symptoms at all. But as the cancer grows, it can cause changes thatwomen should watch for: A lump or thickening in or near the breast or inthe undera rm are a . A change in the size or shape of the breast.. Adischarge from the nipple. A change in the color or feel of the skin ofthe breast, areola, or nipple (dimpled, puckered, or scaly). A womanshould see her doctor if she notices any of these changes. Most often,they are not cancer, but only a doctor can tell for sure.The relevant words are “breast”, “cancer”, “doctor”, and “symptoms”.

Relevant Words Assigned Context Vectors and Weighted

WORD CONTEXT VECTOR WEIGHT VECTOR breast (mammary, glands, nipple,cancer) (1, 1, 4, 10) cancer (disease, doctor, breast cancer) (1, 2, 5)doctor (physician, hospital, patient, disease) (1, 1, 1, 1) symptoms(disease. doctor, patient) (1, 1, 1)

So, “breast” has a vector weighted most toward “cancer”. “Cancer” has avector weighted most toward “breast cancer”. And “doctor” and “symptoms”have no obvious preferred context.

Limiting marketing efforts to those that are audience appropriate willoptimize the experience and the benefits for both the company making theoffers and the user/buyer. Ads that are relevant to the users seeingthem are more likely to generate sales.

FIG. 18 represents a method 1800 for artificial understanding of webpagecontent. A step 1802 parses a Web page, URL, or document to extract itssignificant, relevant words. A step 1804 assigns weights to these wordsbased on how the words are arranged in the electronic document. A step1806 creates a context vector for each selected word with their contextsextracted from a thesaurus database. A step 1808 creates weight vectorsthat are associated with the corresponding context vectors for eachrelevant word. A step 1810 creates a weight vector associated with thecontext vector for each relevant word. A step 1812 determines whichcontexts appear to be the most important. A step 1814 asks if thecurrent interests of the user appear to be in-line with their currentprofile? If not, a step 1816 creates new potential profile of “likes”and preferences. If so, a step 1818 reinforces the likes and preferencesalready on file. A step 1820 formulates productive ads and contentdesigned to target specific, identified audiences.

Consumer and user behaviors can have multi-dimensional ranges that canbe quantified and contributed to database 120 to identify them asindividuals and to follow their travel, spending, shopping, seasonal,event related, and “likes”.

Although particular embodiments of the present invention have beendescribed and illustrated, such is not intended to limit the invention.Modifications and changes will no doubt become apparent to those skilledin the art, and it is intended that the invention only be limited by thescope of the appended claims.

1. A computer-implemented method for examining behaviors behind paymenttransactions to assess and protect from financial losses caused byhigh-risk users, comprising: receiving, at one or more processors, aplurality of transaction records respectively corresponding to aplurality of transacting entities; generating, via the one or moreprocessors, a plurality of smart agent profiles, each of the pluralityof smart agent profiles— corresponding to a respective one of theplurality of transacting entities, reflecting a plurality of individualand expanded attributes of corresponding transaction record(s), beingstructured as one or more rolling list(s) of vectors, each rolling listof vectors corresponding to a real-time or long-term interval and beingdivided accordingly across different memory locations, pre-computing,via the one or more processors, a velocity count for and statistics ofthe plurality of individual and expanded attributes of each of theplurality of smart agent profiles; forecasting, via the one or moreprocessors, purchase behaviors for at least one of the plurality oftransacting entities at least in part based on corresponding ones of thesmart agent profiles and associated velocity counts and statistics;receiving, at the one or more processors, a new transaction recordcorresponding to a first transacting entity of the plurality oftransacting entities, the first transacting entity being associated witha first subset of the plurality of smart agent profiles; generating, viathe one or more processors, a computer fraud risk score for the newtransaction record at least in part by— stepwise advancing the computerfraud risk score, one step-up or one step-down per attribute, over theattributes reflected in the first subset of the smart agent profiles,adjusting the computer fraud risk score to reflect lesser risk if it isdetermined that the first transaction record conforms to at least one ofthe forecasted purchase behaviors, adjusting the computer fraud riskscore based on the output of a model trained on transaction records ofthe plurality of transaction records corresponding to at least two (2)of the plurality of transactional entities, the trained model beingconstructed according to one or more of: a neural network, case basedreasoning, a decision tree, a genetic algorithm, fuzzy logic, and rulesand constraints, automatically outputting the computer fraud risk scorefrom one network server to another as a machine determination relatingto fraud risk.